Unable to access Event Store in Azure VM remotely

[Jason Mitchell]

Hi all,

I'm trying to run Event Store 3.4.0 in a VM hosted inside Azure and I can access it on the VM but not externally.  I've had similar problems with running it on Linux and Windows Server 2012; I would prefer to run on Linux but will keep this post specific to Windows since I'm more familiar with it (and currently have a VM to try solutions on).

What I have done:

1. Created Windows 2012 R2 VM in Azure
2. Added ports 1113 and 2113 to the Network Security Group in Azure
3. Changed the VM public IP address to be static in Azure 
4. Downloaded and run Event Store in admin PowerShell: .\EventStore.ClusterNode.exe --db .\data --log .\logs --ext-http-prefixes="http://*:2113/"
   At this point I can access the Web UI locally on the VM by browsing to http://127.0.0.1:2113
5. Run: netsh http add urlacl url=http://+:2113/ user=someadminuser
   This seems to break access to the Web UI locally on the VM; getting 503 errors.  "netsh http show urlacl" shows only one entry for 2113 (see below)
6. Run from remote machine: curl --head http://vm-ip-address:2113/
   This returns "Operation timed out"
7. Removed urlacl and replace with "http://vm-ip-address:2113/" to see if it would work...
8. Also tried running Event Store as: .\EventStore.ClusterNode.exe --db .\data --log .\logs --ext-http-prefixes="http://*:2113/" --ext-ip=vm-ip-address

Any help would be appreciated.  I'm at a bit of a loss of what to try next.

netsh http show urlacl:

Reserved URL            : http://+:2113/

    User: someadminuser

        Listen: Yes

        Delegate: No

        SDDL: D:(A;;GX;;;LA)

[Jason Mitchell]

Just to point out the urlacl snippet above is just a small chunk of the full output

[Yorick Laupa]

After a very quick skim, it seems you only need to add proper endpoint ports (TCP or HTTP depending on your needs) to your VM

Sent from my iPhone

--
You received this message because you are subscribed to the Google Groups "Event Store" group.
To unsubscribe from this group and stop receiving emails from it, send an email to event-store...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Jason Mitchell]

Isn't that essentially what adding the ports to the Network Security Group in Azure will do?

[Jason Mitchell]

I've also allowed the ports in the Windows Firewall

[James Nugent]

This depends on the deployment model. If using the hosted service model then probably not. An interesting test is to run an echo server on port 1113 and see if that is accessible from outside: if not it is an Azure configuration problem rather than an Event Store configuration problem.

[Brian Gambs]

We're not able to use the new RM based VMs yet - so I am more familiar with the endpoint security model then NSG model. That said, it's my understanding that if you assigned a network security group to a VM and open ports in the NSG you also need to explicitly open the port to the internet (by default it's only visible within the vnet, I believe.) You don't specify your exact NSG rule, so if you haven't done that, maybe that's a thing. e.g.

Get-AzureNetworkSecurityGroup -Name "MyVNetSG" | Set-AzureNetworkSecurityRule -Name WEB -Type Inbound -Priority 100 -Action Allow -SourceAddressPrefix 'INTERNET'  -SourcePortRange '*' -DestinationAddressPrefix '*' -DestinationPortRange '*' -Protocol TCP

(from here https://azure.microsoft.com/en-us/blog/network-security-groups/)

[Pieter Germishuys]

Can you please give us the configuration you are using?

In a lot of cases, (this will probably change soon) you need to set --add-interface-prefixes=false as part of your configuration.

So I would say that your effective configuration should read something like this

---

IntIp: ipaddress

ExtIp: ipaddress

AddInterfacePrefixes: false

ExtHttpPrefixes: http://*:2113/

IntHttpPrefixes: http://*:2112/

[Jason Mitchell]

I have no configuration file at this point, just specifying command line arguments:

.\EventStore.ClusterNode.exe --db .\data --log .\logs --ext-http-prefixes="http://*:2113/"

I will try it with the additional configuration options you mentioned

[Jason Mitchell]

I've added the new network security rule but still have the same problem.  I'm almost certain now though that it's an issue on my azure configuration side.

[Jason Mitchell]

I'm using the Resource Manager model.  I've run an echo server over TCP on port 1113 and can't connect so like you said it must be an Azure configuration problem.

[Jason Mitchell]

Thanks for this.  I've got it connecting remotely now, it was a combination of the config settings below plus bad Azure configuration.

On Wednesday, 27 January 2016 06:26:21 UTC, Pieter Germishuys wrote:

[Madhu Gaddipati]

Hi Jason,

I have got same issue - I am using New Azure VM, and unable to connect Eventstore from public IP

Please show us steps how you managed to resolve ?

[Greg Young]

what is your config?

> --
> You received this message because you are subscribed to the Google Groups
> "Event Store" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to event-store...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
Studying for the Turing test

[Jason Mitchell]

We use these steps to setup event store on Linux in azure:

• Add ports 1113 and 2113 to the Inbound Security Rules in the Network Security group for the VM
• Run ifconfig to get the virtual IP of the server
• Edit /etc/eventstore/eventstore.conf to have the following config:
  

  ---
  IntIp: <insert virtual ip of server>
  ExtIp: <insert virtual ip of server>
  AddInterfacePrefixes: false
  IntHttpPrefixes: http://*:2112/
  ExtHttpPrefixes: http://*:2113/
  RunProjections: All
  ClusterSize: 1
  ---

  
  
  
• Start the service

[Greg Young]

Should be basically the same for windows except that its ipconfig the
rest of the config should be identical.

[Brian Gambs]

In the case of classic virtual machines, make sure you have an endpoint on the virtual machine that allows access to the port to which you are trying to connect.  In the case of RM virtual machines, make sure you have Network Security Groups configured on your vnet/vm/nic in whatever combination makes sense for your configuration to allow access to the port to which you are trying to connect.

Also the firewall on the VM, of course.

Brian

[Jag Padda]

HI,

I'm trying the same thing (newbie) and have the same issue. It's a simple dev environment, with a single node, server 2016 in Azure. I've disabled Windows Firewall (it's my throw-away dev). I've setup NSG allowing 2113 inbound and outbound.

I get exactly the same issue describe below. Can you please provide me with an example command line, or config file that I can run? I'd like external access to be available to EventStore on the VM.

Thanks

On Tuesday, 26 January 2016 14:32:17 UTC, Jason Mitchell wrote:

[James Nugent]

This sounds like you are binding to the wrong interfaces or not setting up the HTTP prefixes for NAT.

A generic configuration is impossible here, since it depends on the configuration of your machine.

James